File name: Bonzify.exe
Full analysis: https://app.any.run/tasks/c2282b20-dd16-455b-932b-6ed7a1893645
Verdict: Malicious activity
Analysis date: September 05, 2024, 11:18:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FBA93D8D029E85E0CDE3759B7903CEE2
SHA1: 525B1AA549188F4565C75AB69E51F927204CA384
SHA256: 66F62408DFCE7C4A5718D2759F1D35721CA22077398850277D16E1FCA87FE764
SSDEEP: 196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3m:OaWedh+Idx75QYub//73lc6u7bLMYxDm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • INSTALLER.exe (PID: 2816)
      • INSTALLER.exe (PID: 2520)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Bonzify.exe (PID: 7004)
    • Starts CMD.EXE for commands execution

      • Bonzify.exe (PID: 7004)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 6752)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6752)
    • Executable content was dropped or overwritten

      • Bonzify.exe (PID: 7004)
      • INSTALLER.exe (PID: 2816)
      • INSTALLER.exe (PID: 2520)
    • Process drops legitimate windows executable

      • INSTALLER.exe (PID: 2816)
      • Bonzify.exe (PID: 7004)
      • INSTALLER.exe (PID: 2520)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 6752)
    • Starts a Microsoft application from unusual location

      • INSTALLER.exe (PID: 2520)
      • INSTALLER.exe (PID: 2816)
  • INFO

    • Checks supported languages

      • Bonzify.exe (PID: 7004)
    • Create files in a temporary directory

      • Bonzify.exe (PID: 7004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4)
.exe | Win32 Executable MS Visual C++ (generic) (8.2)
.exe | Win64 Executable (generic) (7.3)
.dll | Win32 Dynamic Link Library (generic) (1.7)
.exe | Win32 Executable (generic) (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:13 11:42:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 4096
InitializedDataSize: 6696960
UninitializedDataSize: -
EntryPoint: 0x16b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 158
Monitored processes: 26
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain (in order of start): bonzify.exe, cmd.exe, conhost.exe, taskkill.exe, takeown.exe, icacls.exe, installer.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, agentsvr.exe, grpconv.exe, installer.exe, regsvr32.exe, regsvr32.exe, grpconv.exe, agentsvr.exe, startmenuexperiencehost.exe, textinputhost.exe, searchapp.exe, mobsync.exe, bonzify.exe

Process information

Fields: PID, CMD, Path, Parent process, User, Company, Integrity Level, Description, Exit code, Version

PID: 1020
CMD: regsvr32 /s "C:\WINDOWS\msagent\AgentCtl.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2520
CMD: INSTALLER.exe /q
Path: C:\Users\admin\AppData\Local\Temp\INSTALLER.exe
Parent process: Bonzify.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 4.71.1015.0

PID: 2520
CMD: C:\WINDOWS\System32\mobsync.exe -Embedding
Path: C:\Windows\System32\mobsync.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Sync Center
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2572
CMD: regsvr32 /s C:\WINDOWS\lhsp\tv\tvenuax.dll
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2684
CMD: "C:\WINDOWS\msagent\AgentSvr.exe" /regserver
Path: C:\Windows\msagent\AgentSvr.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Agent Server
Exit code: 0
Version: 2.00.0.2202

PID: 2816
CMD: INSTALLER.exe /q
Path: C:\Users\admin\AppData\Local\Temp\INSTALLER.exe
Parent process: Bonzify.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 4.71.1015.0

PID: 3180
CMD: regsvr32 /s "C:\WINDOWS\msagent\mslwvtts.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 3984
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4056
CMD: regsvr32 /s "C:\WINDOWS\msagent\AgentMPx.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 4084
CMD: regsvr32 /s "C:\WINDOWS\msagent\AgentDP2.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: INSTALLER.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 55
Suspicious files: 33
Text files: 64
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL | executable
MD5: 316999655FEF30C52C3854751C663996
SHA256: EA4CA740CD60D2C88280FF8115BF354876478EF27E9E676D8B66601B4E900BA0
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL | executable
MD5: 7C5AEFB11E797129C9E90F279FBDF71B
SHA256: 394A17150B8774E507B8F368C2C248C10FCE50FC43184B744E771F0E79ECAFED
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL | executable
MD5: 0CBF0F4C9E54D12D34CD1A772BA799E1
SHA256: 6B0B57E5B27D901F4F106B236C58D0B2551B384531A8F3DAD6C06ED4261424B1
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXT | text
MD5: 7070B77ED401307D2E9A0F8EAAAA543B
SHA256: 225D227ABBD45BF54D01DFC9FA6E54208BF5AE452A32CC75B15D86456A669712
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL | executable
MD5: 81E5C8596A7E4E98117F5C5143293020
SHA256: 7D126ED85DF9705EC4F38BD52A73B621CF64DD87A3E8F9429A569F3F82F74004
7004 | Bonzify.exe | C:\Windows\executables.bin | binary
MD5: 1F3566FC3700775016BE546F9BEBD9E9
SHA256: 829DECB1EE9CC6861774CA87440DB2AD43CEAAE39A2468E29A4A04AA9A5BE794
7004 | Bonzify.exe | C:\Users\admin\AppData\Local\Temp\INSTALLER.exe | executable
MD5: 66996A076065EBDCDAC85FF9637CEAE0
SHA256: 16CA09AD70561F413376AD72550AE5664C89C6A76C85C872FFE2CB1E7F49E2AA
7004 | Bonzify.exe | C:\Users\admin\AppData\Local\Temp\TakeOwn.bat | text
MD5: F80E36CD406022944558D8A099DB0FA7
SHA256: 7B41E5A6C2DD92F60C38CB4FE09DCBE378C3E99443F7BAF079ECE3608497BDC7
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL | executable
MD5: 237E13B95AB37D0141CF0BC585B8DB94
SHA256: D19B6B7C57BCEE7239526339E683F62D9C2F9690947D0A446001377F0B56103A
2816 | INSTALLER.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB | executable
MD5: F1656B80EAAE5E5201DCBFBCD3523691
SHA256: 3F8ADC1E332DD5C252BBCF92BF6079B38A74D360D94979169206DB34E6A24CD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 26
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1356 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6404 | RUXIMICS.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 404 | 184.86.251.7:443 | https://r.bing.com/rb/4N/jnc,nj/Btu7tBP0vQIHDIMxag4vCxAtQuY.js?bu=FrYs9ir8AYcriyuNK48rtCu9LIMs_BGfLKUswSz8AfwBpSjmK_oR8RH6K-sr&or=w | unknown | - | - | -
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.86.251.19:443 | https://www.bing.com/fd/ls/l?IG=16800713CD244755B15D5E88DF9D3BC0&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}] | unknown | - | - | -
- | - | GET | 304 | 184.86.251.24:443 | https://r.bing.com/rb/19/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B74CSK0CiwFdXcoC&or=w | unknown | - | - | -
- | - | GET | 200 | 184.86.251.7:443 | https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js | unknown | s | 20.3 Kb | -
- | - | POST | 204 | 184.86.251.23:443 | https://www.bing.com/fd/ls/lsp.aspx? | unknown | - | - | -
- | - | GET | 200 | 184.86.251.16:443 | https://r.bing.com/rb/6h/ortl,cc,nc/_BjeFNPDJ-N9umMValublyrbq4Y.css?bu=CZEMtgqWDLYKmgy2CrYKtgq2Cg&or=w | unknown | text | 428 Kb | -
- | - | POST | 204 | 184.86.251.17:443 | https://www.bing.com/fd/ls/lsp.aspx? | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6404 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1356 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
1356 | svchost.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
6404 | RUXIMICS.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
2120 | MoUsoCoreWorker.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1356 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
www.microsoft.com
  • 23.32.185.131
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
r.bing.com
  • 184.86.251.19
  • 184.86.251.15
  • 184.86.251.14
  • 184.86.251.16
  • 184.86.251.21
  • 184.86.251.22
  • 184.86.251.20
  • 184.86.251.17
  • 184.86.251.11
whitelisted
www.bing.com
  • 184.86.251.5
  • 184.86.251.27
  • 184.86.251.4
  • 184.86.251.26
  • 184.86.251.8
  • 184.86.251.25
  • 184.86.251.30
  • 184.86.251.7
  • 184.86.251.28
whitelisted

Threats

No threats detected
No debug info